The Secret Life of ActionScript
Adobe Flash continues to be a popular target for attackers in the wild. As an increasing number of bug fixes and mitigations are implemented, vulnerabilities in increasingly obscure corners of Flash are coming to light. This presentation describes the attack surface of Flash, with a focus on recently discovered vulnerabilities.
It will start with an overview of Flash vulnerabilities found in the past year, and discuss how the most common types of vulnerabilities work, the potential for future vulnerabilities in these areas and methodologies for finding them. It will also cover some recently reported vulnerabilities that are less typical, their discoverability and exploitability.
This talk will also discuss recent Flash and platform mitigations, and how they impact bug quality and discoverability.
Crypto for the People
It’s been a tough couple years for crypto protocols. Almost every month a new vulnerability in TLS come out that flattens everything. In this talk I’ll explain the latest set of cryptographic vulnerabilities in plain english. By the end of the talk you’ll hopefully know the difference between FREAK, LogJam, NOOB, DROWN, POODLE and SLOTH (only one of these is made up). We’ll be breaking good crypto and bad with side-channels, signing oracles and downgrades. I’ll also explain how the latest changes to TLS are supposed to fix things and how the entire house of cards may topple once quantum computers arrive.
Car Hacking: The Past, Present, and Future
You might call 2015 “The Summer of Car Hacking,” with multiple exploits presented and the first-ever cybersecurity-related vehicle recall. It grabbed the attention of manufacturers, regulators, lawmakers, and consumers. But the Summer of Car Hacking didn’t just happen out of nowhere. In this talk, I’ll cover some of the history of car hacking, including some of our earlier results, including taking over a 2009 sedan through cellular connections, Bluetooth, Windows Media files, and infected dealer tools. I’ll also talk about more recent work where we compromised aftermarket insurance dongles to hijack control of vehicles. I’ll discuss how a blind-sighted industry began to take security seriously, and cover where I think the industry is headed.